
Lemmy Release v0.19.18 - 2 security fixes

2026-04-20 - Lemmy Release v0.19.18

With this version user badges are always shown next to usernames. There are also various bug fixes and, again, security fixes.

  • Display UserBadges for Bot, Banned and Deleted users in all PersonListings by @MrKaplan-lw in #4035
  • Increase timeouts for db pool by @nutomic in #6441
  • Add private IP check for webmention by @nutomic in #6444
  • Proper fix for nested comment fetch by @nutomic in #6451

Security

  • Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948
  • Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq
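Both advisories come down to the same missing check: a server-side fetch was allowed to reach a destination that is not a public address, once for the Webmention target and once for the og:image URL extracted from a page that had itself passed the check. As an added illustration (not Lemmy's own code), the Rust below shows a destination policy that is meant to run for every outbound fetch, on the addresses the host actually resolves to rather than on the URL string; `is_internal_ip`, `host_of` and `check_fetch_target` are names chosen here, and the host extractor is a minimal stand-in for a real URL library.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

// Ranges a server-side fetcher must never contact: loopback, RFC 1918 private,
// link-local (incl. 169.254.169.254), unspecified, broadcast, RFC 6598 100.64.0.0/10.
fn is_internal_v4(ip: Ipv4Addr) -> bool {
    let o = ip.octets();
    ip.is_loopback() || ip.is_private() || ip.is_link_local() || ip.is_unspecified()
        || ip.is_broadcast() || (o[0] == 100 && (o[1] & 0xc0) == 64)
}

// IPv6 counterparts; IPv4-mapped addresses (::ffff:a.b.c.d) are unwrapped first so
// they cannot be used to sidestep the IPv4 rules.
fn is_internal_v6(ip: Ipv6Addr) -> bool {
    if let Some(v4) = ip.to_ipv4_mapped() { return is_internal_v4(v4); }
    let s = ip.segments();
    ip.is_loopback() || ip.is_unspecified()
        || (s[0] & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (s[0] & 0xffc0) == 0xfe80 // fe80::/10 link local
}

pub fn is_internal_ip(ip: IpAddr) -> bool {
    match ip { IpAddr::V4(v4) => is_internal_v4(v4), IpAddr::V6(v6) => is_internal_v6(v6) }
}
// Minimal host extractor for http(s) URLs (stand-in for a URL library): drops
// userinfo, port, path, query and fragment; unwraps bracketed IPv6 hosts.
pub fn host_of(url: &str) -> Option<String> {
    let rest = url.strip_prefix("http://").or_else(|| url.strip_prefix("https://"))?;
    let authority = rest.split(['/', '?', '#']).next()?;
    let hostport = authority.rsplit('@').next()?;
    let host = match hostport.strip_prefix('[') {
        Some(v6) => v6.split(']').next()?,
        None => hostport.split(':').next()?,
    };
    if host.is_empty() { None } else { Some(host.to_string()) }
}
// Policy gate for every outbound fetch (post URL and extracted og:image alike).
// `resolved` is what DNS returned for the host; the decision is made on those
// addresses, not the host string, and IP-literal hosts are checked directly.
pub fn check_fetch_target(url: &str, resolved: &[IpAddr]) -> Result<(), String> {
    let host = host_of(url).ok_or_else(|| format!("unsupported or malformed URL: {url}"))?;
    let addrs: Vec<IpAddr> = match host.parse::<IpAddr>() {
        Ok(ip) => vec![ip],
        Err(_) if resolved.is_empty() => return Err(format!("{host} did not resolve")),
        Err(_) => resolved.to_vec(),
    };
    match addrs.into_iter().find(|ip| is_internal_ip(*ip)) {
        Some(ip) => Err(format!("refusing {host}: resolves to internal address {ip}")),
        None => Ok(()),
    }
}
```

The same gate has to be applied again to every URL discovered during a fetch (og:image, redirects), since a public page passing the check says nothing about the addresses it points at.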
